[Samba] unexpected password expiration

Rowland Penny rpenny at samba.org
Fri Sep 17 12:41:07 UTC 2021 

On Fri, 2021-09-17 at 12:54 +0200, mj via samba wrote:
> Hi!
> 
> Regarding password age / expiration, we have configured samba like:
> 
> > root at dadc:~# samba-tool domain passwordsettings show
> > Password information for domain 'DC=samdom,DC=company,DC=com'
> > 
> > Password complexity: on
> > Store plaintext passwords: off
> > Password history length: 24
> > Minimum password length: 14
> > Minimum password age (days): 0
> > Maximum password age (days): 0
> > Account lockout duration (mins): 30
> > Account lockout threshold (attempts): 10
> > Reset account lockout after (mins): 60
> > 
> > root at addc:~# samba-tool domain passwordsettings pso list
> > No PSOs are present, or you don't have permission to view them.
> 
>  From the above, we assume that our passwords will not expire. (and
> yes, 
> that is a bad idea, but it's the way it currently is)
> 
> However, a tool that we use (LAM) is reporting to two of our users
> that 
> their passwords are about to expire, and they need to set a new one.
> 
> LAM logs this:
> > 2021-09-17 12:28:22 Debug Checking
> > CN=user1,CN=Users,DC=samdom,DC=company,DC=com
> > 2021-09-17 12:28:22 Debug Last password change on 2021-08-10
> > 2021-09-17 12:28:22 Debug Number of days before warning 7
> > 2021-09-17 12:28:22 Debug Password expires on 2021-09-22
> > 2021-09-17 12:28:22 Debug Password notification on 2021-09-15 12:55
> > 2021-09-17 12:28:22 Info Not sending email to
> > CN=user1,CN=Users,DC=samdom,DC=company,DC=com because of dry run.
> 
> My question to the samba experts here is:
> 
> Is there another way password expiration settings can be configured
> in 
> samba/AD

No, you seem to have it set correctly.

> , or should we look at the tool in use (LAM) and is most likely 
> something going wrong with the calculations there?

Always possible, but not knowing the code, who knows ?
There are a few ways of determining if/when a users password expires:

There is the ms-DS-User-Password-Expired attribute, but this isn't
available to Samba.

There is the msDS-UserPasswordExpiryTimeComputed attribute, but again
this isn't available.

Finally there is the maxPwdAge attribute, this, along with the users
pwdLastSet attribute, can be used to calculate when the password
expires. However, if the maxPwdAge attribute doesn't exist or is set to
'0' , then no password should expire, so there should be no reason to
calculate when the password expires.

It is possible that LAM checks if maxPwdAge exists and, if it does,
then uses its contents to calculate the password expiry, even if it is
'0'

Rowland

More information about the samba mailing list